Meet rodger, our software for managing GDPR requests, which ensures that each GDPR request you receive is legally perfect. As you probably expect, rodger processes personal data, and we would like to share transparently what our position in these processing activities is and how and why personal data is processed.
As an EU-based company, we must comply with the EU General Data Protection Regulation (the “GDPR”), which provides for your individual rights when personal data is processed.
Below we answer the basic questions regarding the processing of personal data when providing our Services in the light of Art. 13 and 14 GDPR.
Why do we process your personal data?
Generally, we need to process your personal data in order to:
▪ Provide the Service to our clients;
▪ Meet our legal or contractual obligations;
▪ Pursue our legitimate interests.
What are our purposes of processing personal data and what legal grounds are they based on?
We provide our software as a processor on behalf of our clients using the Services for the following purpose:
Description of the purpose and our position
Handling data subject requests
We act as a data processor on behalf of our clients who use rodger / our Services on the basis of a data processing agreement concluded with them. Clients use the Services in order to facilitate your (data subjects’) rights under the GDPR. If you have a question about this, please contact your controller.
However, besides providing the Services, we may process personal data as a controller for the following purposes:
Legal ground according to GDPR
Description of the purpose and our position
Development, Improvement & Testing
Legitimate interest pursuant to the Art. 6 (1) f) of the GDPR
As a software developer, we need to be able to continuously develop, improve, maintain and test our software, which we regard as our own legitimate interest. This typically includes removal of bugs, general analysis of software, development of updates or features, analysis of user trends, etc. We process these personal data as a controller.
Security of personal data
Compliance with a legal obligation pursuant to Art. 6 (1) c) of the GDPR
Article 32 of the GDPR obliges us to secure the processing of personal data. As a controller, we want to provide the best software solution possible, including security, and with this aim we want to avoid any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Billing, Tax & Accounting
Compliance with legal obligations pursuant to Art. 6 (1) c) of the GDPR
We process personal data of our clients stated on the invoices issued for purchasing Services as a controller. We follow specific statutory obligations prescribed by accounting and tax legislation.
Legitimate interest pursuant to article 6 (1) f) GDPR: establishment, exercise or defense of legal claims of the company.
As a controller, within negotiations and communication about contractual relations, recovery of claims, disclosure of facts by public authorities and similar activities, we establish, defend and exercise legal claims of our company. Hence, we rely on our legitimate interest.
Raising awareness about the Services in the online environment
Legitimate interest pursuant to article 6 (1) GDPR: raising awareness about Services in the online environment.
When publishing content on our social networks (especially Facebook and LinkedIn) and on our website, we may process personal data including profiling as a controller. We use basic analytics tools like Google Analytics, especially for tracking traffic, trends and success of our campaigns.
Consent pursuant to article 6 (1) a) GDPR or legitimate interest pursuant to article 6 (1) f) GDPR: direct marketing purposes.
The purposes of direct marketing may constitute legitimate interests within the meaning of recital 47 of the GDPR. As a controller, we rely mainly on the pertinent legitimate interest while sending marketing communication in the form of a newsletter or post, or in cases where the prior consent of the addressee of the communication is not required under applicable law.
Any other legal ground of the above purposes (compatible purposes) in light of article 89 GDPR.
As a controller we create aggregated statistical data based on the processing of personal data for the purposes stated above.
Who are recipients of your personal data?
We provide personal data of our clients and other natural persons only to the extent necessary and always while maintaining the confidentiality of the data recipient. Our typical recipients are sub-contractors that support us in providing the Services and who might process personal data for us, e.g. hosting or cloud service providers, marketing and analytical software service providers, social network operators and authorized personnel of the above. We ensure that the selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR. Although we have a limited obligation to provide your personal data to public authorities for reasons of confidentiality, we are required to counteract crime, and we also have the obligation to communicate information on the prevention of money laundering and terrorist financing.
What countries do we transfer your personal data to?
In general, we try to set up the processing of personal data by our company in a way that personal data are not transferred to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein). Email communication and electronic copies of all documentation related to our activity remain stored on servers located in the territory of the Slovak Republic. However, we also use the services of some leading suppliers such as Google, LLC, Facebook, Inc. and Microsoft Corporation. We use them for the purposes of developing and offering the Services and our online activities on the web, search engines, social networks, and marketing. These suppliers and facilities are located in the United States of America, which is generally regarded as a third country that does not ensure an adequate level of protection. However, companies that have been certified in the so-called “EU-US Privacy Shield” mechanism are considered as ensuring adequate protection of personal data, in the same way as EEA/EU countries, according to the EU Commission's decision. If, however, we are conducting a cross-border transfer of personal data to third countries, we do so only on the basis of the adequacy decision of the European Commission (such as EU-US Privacy Shield) or require other safeguards to protect personal data (e.g. conclusion of model contract clauses).
How long do we store your personal data?
Where we process your personal data on behalf of our clients, the retention periods are set out by our clients and we have no control over that. As soon as our contract with clients ends, we are under obligation to either return all personal data to clients or securely erase all personal data, at the choice of the client. The same applies to our own purposes of processing, which are undertaken only on personal data currently processed by us for clients. If our contract with a client ends, by default we do not keep your personal data for our own purposes. This way, we comply with basic principles relating to processing of personal data such as data minimization, storage limitation and purpose limitation.
How do we collect your personal data?
If you are our client, we often obtain your personal data directly from you. In that case, obtaining your personal data is voluntary. If you are not our client, we often obtain your personal data from our clients processing your personal data as a controller.
What rights do you have?
“If we process personal data based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.”
“You have a right to object to any processing that is based on legitimate interest or public interest as well as to any direct marketing purposes including profiling.”
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us, because in a particular case an exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request to enforce a specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.
Among others, you have:
▪ Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirm whether we process personal data about you, the right of access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible;
▪ Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you;
▪ Right to erasure of personal data according to Article 17 of the GDPR;
▪ Right to restriction of processing according to Article 18 GDPR;
▪ The right to data portability according to Article 20 GDPR.
We do not currently conduct processing operations that would lead to a decision which produces legal effects concerning you or similarly significantly affects you, based solely on automated processing of your personal data, in light of Article 22 GDPR.
You have a right to lodge a complaint related to personal data with the relevant data protection supervisory authority or apply for judicial remedy. Please note that our competent data protection authority is the Office for Protection of Personal Data of the Slovak Republic. In any case, we advise you to primarily consult us with your questions or requests.
See articles 12-22 GDPR: http://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=CELEX:32016R0679&from=EN